[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: How do tool verify certs with ldapi:// ?



Michael StrÃder wrote:
> => StartTLS over LDAP is undefined and probably every API should simple refuse
> it at all or accept any server cert. In both cases the underlying LDAPI
> channel is fully trusted anyway.
> 
> If the client really would like to implement an additional *security* check
> that a rogue attacker did not trick the client to connect to another Unix
> domain socket (MITM service) checking the server's identity by matching
> "localhost" also does not make sense to me.

A rough idea:
GeneralName can be an URI. So the LDAPI URI should be in subjectAltName
extension and checked by the client (if some name has to be checked at all).
Anything else is nonsense.

Ciao, Michael.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature